Using HSS to Prevent Weak Passwords

Scenarios

A weak password is short, common, or something that could be rapidly guessed by brute force attacks. Common weak passwords include but are not limited to the following:

• Common default system passwords, such as admin, root, Tomcat, and manager.
• Only digits, only letters, or a combination of numbers and letters, for example, admin123, 123456, and abcde.
• Passwords that have special meanings and can be easily guessed by others, such as the birthday, name, and mobile number.
• Multiple system accounts use the same password.

Weak passwords in the server system may bring the following risks:

• Information leakage: Attackers can intrude accounts and obtain users' privacy information and financial data through brute force cracking or password guessing.
• System damage: Attackers crack weak passwords to intrude the system and maliciously attack the system. For example, attackers can delete important data, implant malware, and maliciously modify programs, causing the system to break down or fail to run.

HSS can detect common weak passwords set in the server system and key software, including weak passwords of MySQL, FTP, Redis, and system accounts in the Linux system and weak passwords of system accounts in the Windows system. You are advised to use HSS to detect weak passwords in the server system, improve password security, and change passwords periodically to avoid security risks.

Prerequisites

HSS Professional, Enterprise, Premium, Web Tamper Protection, or Container Edition has been enabled for the server. For details, see HSS Access Overview.

How Do I Avoid Weak Password Risks?

1. Check whether there are servers with weak passwords.
   HSS can check whether the current server has weak passwords. The procedure is as follows:

   1. Configure a weak password detection policy.
      1. Log in to the management console.
      2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
      3. In the navigation pane, choose Security Operations > Policies.
         

         If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

      4. Click the name of the policy group to access the policy detail list.

         HSS provides multiple preset policy groups. After protection is enabled for a server, the server is bound to a preset policy group by default. You can also click Copy in the Operation column of a policy group. For details, see Creating a Custom Policy Group.

      5. Locate the row that contains the Weak Password Detection policy and click enable in the Operation column.
      6. Click the name of a weak password detection policy.
      7. Customize the scan time and interval for weak password detection. For details about the parameters, see Table 1.

         Table 1 Parameter description

         Parameter	Description
         Scan Time	Time point when detections are performed. It can be accurate to the minute.
         Random Deviation Time (Seconds)	Random deviation time of the weak password based on Scan Time. The value range is 0 to 7200s.
         Scan Days	Days in a week when weak passwords are scanned. You can select one or more days.
         User-defined Weak Passwords	You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password. Enter only one weak password per line. Up to 300 weak passwords can be added.
         Password Complexity Policy Check	A password complexity policy refers to the password rules and standards set on a server. If you enable Password Complexity Policy Check, HSS will check the password complexity policy when you manually perform a baseline check.

      8. Confirm the information and click OK.

         If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

   2. (Optional) Deploy a policy for the server.

      If you configure a weak password policy based on a newly created custom policy group in 1.a, you need to deploy the new policy group and apply it to the target server after creating and configuring the policy group. For details, see Deploying a Protection Policy.

   3. Check for weak passwords.

      HSS automatically performs a check for all server common weak passwords at 01:00 every day.

      If you have customized the time and period for automatic weak password detection in a. Configure a weak password detection policy, HSS automatically detects common weak passwords based on the configured time and period.

   4. View the weak password check result.
      1. In the navigation tree on the left, choose Risk Management > Baseline Checks. The Baseline Checks page is displayed.
         

         If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

      2. Click Common Weak Password Detection tab. In the list, you can view the existing weak passwords.

2. Change weak passwords to enhance password security.

   Check the server, account name, account type, and usage duration of the weak password detected from the 1.d. Log in to the server and change the password. For more information, see How Do I Set a Secure Password?.

3. Change the password periodically.

   You are advised to change the password every 90 days.

How Do I Set a Secure Password?

• Recommended password complexity

  To ensure password security, you are advised to set the password based on the following rules:

  • Consists of 8 to 26 characters.
  • Contains at least three of the following character types:
    • Uppercase letter
    • Lowercase letter
    • Digits
    • Special characters for Windows ECSs: ! @ $ % ^ - _ = + [ { ( ) } ] : , . / ? ~ # *
    • Special characters for Linux ECSs: ! @ $ % ^ - _ = + [ { } ] : , . / ? ~ # *
  • The password cannot contain the username or the username spelled backwards.
  • For Windows servers, the password cannot contain more than two consecutive characters of the username.
• Common methods for changing system passwords

  System	Procedure	Remarks
  Windows OS	To change the password in the Windows 10, perform the following steps: Log in to the Windows OS. Click in the lower left corner and click . In the Windows Settings window, click Accounts. Choose Sign-in options from the navigation tree. On the Sign-in options tab, click Change under Password.	None
  Linux OS	Log in to the Linux server and run the following command: passswd [<user>]	If you do not specify any username, you are changing the password of the current user. After the command is executed, enter the new password as prompted. NOTE: Replace <user> with the username.
  MySQL database	Log in to the MySQL database. Run the following command to check the database user password: SELECT user, host, authentication_string From user; This command is probably invalid in certain MySQL versions. In this case, run the following command: SELECT user, host password From user; Run the following command to change the password: SET PASSWORD FOR'Username'@'Host'=PASSWORD('New_password'); Run the following command to refresh password settings: flush privileges;	None
  Redis database	Open the Redis database configuration file redis.conf. Run the following command to change the password: requirepass <password>;	If there is already a password, the command will change it to the new password. If there has been no password set, the command will set the password. NOTE: Replace <password> with the new password.
  Tomcat	Open the conf/tomcat-user.xml configuration file in the Tomcat root directory. Change the value of password under the user node to a strong password.	None